Keep Out

Reminiscing about the good old days is not a pastime that owners of fast-growing businesses typically indulge in. But when it comes to the rapidly evolving world of technology security, it's hard to blame entrepreneurs for feeling nostalgic. The good old days were merely months ago, and they were a time of relative tranquillity for small companies.

That's because during that not-so-distant first wave of cybercrime, the bad guys spent most of their efforts stalking big game. "Originally, it was these geeky guys trying to hack into large institutions to brag about it to their friends," says Uday Shetgeri, senior vice president of electronic fraud at Frost Bank, a regional bank in San Antonio. "Now the hackers are finding it difficult to break into big businesses. They find it more lucrative to go after the small companies that don't have the resources to defend themselves."

Indeed, the organized cybercrime syndicates that have sprung up in recent years couldn't care less about burnishing their egos with tales of daring digital exploits. Instead, they are looking to steal information--usually personal data on customers--that they can convert into money on the black market, or use to purchase products they have no intention of paying for. And they are capable of commandeering hundreds of thousands of computers to randomly probe the Internet or wireless networks for weak security points. Small companies, it turns out, represent the path of least resistance.

How scary is it out there? The SANS Institute, an industry group that tracks computer security threats, found that it takes an average of just 20 minutes for an unprotected computer to become infected with a potentially debilitating virus, compared with 40 minutes in 2003. And the losses can be considerable. The Computer Security Institute, another industry group, and the FBI recently surveyed 313 organizations and found that computer crime cost companies an average of $168,000 in 2006. "If you have any online presence, no matter how small you are, they can find you," says Marty Lindner, a senior member of the tech staff at the Computer Emergency Response Team, or CERT, the Internet security research lab at Carnegie Mellon University. "And your money is as good as anyone else's."

The good news is that you don't have to become an expert in security technology to protect your business. Nor does the technology have to break the bank. Security vendors have put together a number of fairly comprehensive software packages to handle everything from worms and viruses to spam and phishing, the e-mail scams that trick consumers into divulging their account information. Experts recommend these "unified threat management" solutions over buying security software à la carte. Some offerings, such as McAfee's Total Protection for Small Businesses, are subscription-based packages that are offered as a service and cost about $35 per user a year.

These all-in-one security software suites do a good job of eliminating viruses, spam, spyware, and phishing, and they update themselves automatically as threats change. But they don't cover everything.

Of course, just as technology changes, cybercrooks change their tactics. Of particular concern right now are wireless networks, which are increasingly popular both in traditional offices and in retail environments. "Most wireless networks are not secured and encrypted sufficiently," says CERT's Lindner. Software vendors like Credant and Entrust specialize in protecting mobile environments and encrypting data, which basically renders all your sensitive information unreadable to all but the intended recipients. And Microsoft's new Vista operating system will support encryption as well. But companies that choose to encrypt data should first determine which data is most important to protect because the encryption process can often slow down the transfer of information.

Still, it's important to keep in mind that software can only go so far. About 18 months ago, Frost Bank began subscribing to an antiphishing service. Not long afterward, it found itself the victim of a phishing attack. "We were surprised," recalls Shetgeri. "The website the phishing e-mails directed our customers to looked identical to our own. These guys were pros." The new service helped Frost Bank shut down the bogus site. But the most effective weapon the bank had was its customers, who reported the problem in the first place. "Customer education is extremely important," says Shetgeri. "Without that, no amount of security we could put in place would work."

Now Frost sends its customers regular security alerts and devotes a section of its website to security education. It's also tightening up its authentication process for customer access to accounts. Rather than simply requiring a user ID and password, Shetgeri says the bank is adopting multifactor authentication, deploying software that captures information about the PC a customer is using (like IP address or the version of the browser) to further authenticate the customer's identity. The bank is also adding questions to its authentication process in the event that a customer is accessing the account from a PC he or she does not normally use.

The new measures haven't been the easiest sell to customers accustomed to easy online access. But the bank has characterized the new layers of security as something of value to the customer, and Frost has not lost business. "We haven't had any backlash," Shetgeri says. "It's their money we're trying to protect. I think they understand that."

Resources

For more on computer security, including a free risk-assessment tool--go to the website of Carnegie Mellon University's Computer Emergency Response Team, at www.cert.org.